322 sats \ 2 replies \ @zuspotirko 6 Mar 2023 \ parent \ on: Novel ECDSA attack: 773 wallets broken bitcoin
You are mistaken.
The DSA signature scheme is assumed to be an EUF-CMA or sEUF-CMA hard problem. However, after decades there has been no formal proof that it is reducible to the DL assumption (or the Computational Diffie-Hellman assumption or the Decisional Diffie-Hellman assumption). We also think that the mathematical problems on an elliptic curve and under Zp* are equivalent.
This is in stark contrast to the Schnorr Signature Scheme, where there is a formal proof in the random oracle model under the DL assumption that it is EUF-CMA.
Any news about findings about DSA in Zp* or on an elliptic curve is worrisome. We basically wish that there shouldn't even be something to talk about, especially any hints that there is a connection between signature, nonce and private key, which is what this paper hints at.
To people that aren't familiar with cryptography: this might sound Chinese to you. But what we're talking about here realistically is that in a few decades somebody finds out that the signature scheme is reducible to DL, DH or DDH - which would be huge news in cryptography but would still mean that nobody can forge signatures without breaking DL, DH or DDH - which they can't. Also, if somebody was to find a connection between signature, nonce and private key - that doesn't mean it's exploitable by PPT algorithms - which wouldn't be surprising due to DSA's structure.
Even though I understood almost none of your comment, I'm glad we have people around that seem to understand these things.
It made me read the paper and it broadened my knowledge. For that, I thank you.
Not sEUF-CMA, i.e. not strongly unforgeable due to the sign flip of the s value in ECDSA, but I take it you're treating that as academic since the assumption is that that is the only malleability (still, it's a very relevant malleability!)